Torii malware could be gateway to more sophisticated IoT botnet attacks

A torii is a Japanese gate often found in front of a Shinto shrine. Many of the Mirai IoT variants have been given Japanese-inspired monikers.

Researchers have discovered yet another Internet of Things botnet derived from Mirai — but instead of conducting DDoS attacks or cryptomining like most variants, this one’s core functionality is exfiltrating information and executing malicious commands.

Making matters worse, the malware’s potential target list is unusually large, considering that it supports attacks against a variety of architectures, including MIPS, ARM, x86, x64, PowerPC and SuperH.

Researchers from Avast detailed the new botnet malware, named Torii, in a company blog post yesterday, noting that it’s been active since at least December 2017.

The Torii campaign infects its victims by executing a sophisticated shell script via telnet attacks on devices with weak credentials. This script then uses multiple commands to download, via HTTP or FTP, a binary payload in the .elf format, which acts as a dropper specifically tailored to the host environment.

The dropper than introduces the second-stage .elf payload, using at least six persistence techniques to increase its odds of long-term success.

In a company blog post, Avast describes the second-stage payload as a “full-fledged bot capable of executing commands from its master (CnC),” including commands for storing, downloading deleting files. “It also contains other features such as simple anti-debugging techniques, data exfiltration, multi-level encryption of communication, etc…”

Avast credited security expert Dr. Vesselin Bontchev, who first caught wind of Torii earlier this month after his honeypots captured a sample of the malware.

“My honeypot just caught something substantially new. Spreads via Telnet but not your run-of-the-mill Mirai variant or Monero miner…” reads a Sept. 19 tweet from Bontchev. “First stage is just a few commands that download a rather sophisticated shell script, disguised as a CSS file.”

In a follow-up tweet, Bontchev notes that “the author is not your average script kiddie Mirai modder.”

Rod Soto, director of security research at JASK, said in emailed comments that poor security practices in the IoT space open the door to campaigns like this.

“IoT devices have proven to be vulnerable and, in many cases, are not upgradeable or patchable to mitigate the security risks they pose. As long as there are millions of these devices without strong security protections in place, there will continue to be many versions of Mirai and Torii-like botnets, as the primary ingredient to build them is still prevalent,” said Soto. “To solve this, a serious approach of decommissioning and hardening these devices before they go into production must be done.”